About this Show

The Communicators

Cybersecurity News/Business. (2012) Cybersecurity Analyst Charlie Miller and reporter Robert O'Harrow, Washington Post. New.

NETWORK

DURATION
00:30:00

RATING

SCANNED IN
San Francisco, CA, USA

SOURCE
Comcast Cable

TUNER
Channel 91 (627 MHz)

VIDEO CODEC
mpeg2video

AUDIO CODEC
ac3

PIXEL WIDTH
704

PIXEL HEIGHT
480

TOPIC FREQUENCY

Cyberspace 11, Charlie Miller 9, Washington 8, U.s. 6, Charlie 6, Us 4, Robert O'harrow 4, China 4, Pennsylvania 3, United States 3, Mr. Miller 3, Facebook 2, Nsa 2, Mr. O'harrow 2, D.c. 2, Moscow 2, Tweets 2, Iran 2, Washington Post 2, Vancouver 2,
Borrow a DVD
of this show
  CSPAN    The Communicators    Cybersecurity  News/Business.  (2012) Cybersecurity Analyst  
   Charlie Miller and reporter Robert O'Harrow, Washington...  

    October 27, 2012
    6:30 - 7:00pm EDT  

6:30pm
we have the chair of the pennsylvania republican party and the chairman of the montgomery county board of commissioners. "washington journal," with your calls, tweets, an email, live at 7:00 a.m. eastern on c-span. tomorrow morning on "newsmakers," kentucky senator rand paul will talk about his support of mitt romney. he will also talk about his views on u.s. foreign aid. join us for "newsmakers" at 10:00 a.m. eastern on c-span. >> we want to introduce to you robert o'harrow, an investigative reporter at the washington post. he has been riding an occasional series on cyber security threats for that newspaper. mr. o'harrow, welcome to "the communicators." let's start with 0 day. what is zero day? >> zero day is the name that
6:31pm
hackers give to a vulnerability and software that allows a bad guy into a computer system. these gaps take a lot of forms. they have not been previously discovered. so there is no way to block them. when a hacker has a zero day, with the right tools and school bills, they can't. into a system and take control. -- with the right tools and skills, they can take over system. >> how would you describe this series? >> it is really the mission that we were looking into cyber security and cyber war. the pentagon had declared cyberspace the environment of people and machines and networks as a new domain of war, and get we realize that maybe one in 1000 people really understood what cyberspace was and the
6:32pm
degree and depth of the vulnerabilities. so what we are trying to do with the zero day series is take pieces of it and explain the fundamentals and the platonic idea is that everybody from my mom and dad to congress and people around the country can understand, and so maybe start the process of coming up with ways to defend cyberspace. >> if you look at cyberspace in the united states right now, how would you describe security overall? much as we would describe crime or break-ins in a neighborhood. >> in the spirit of the explanatory mission, you cannot really talk about cyberspace and the united states. a computer user in washington, d.c., or in wichita, or san francisco is effectively working shoulder to shoulder with a computer user in beijing or moscow. there is literally milliseconds
6:33pm
of difference in space and time in cyberspace. i thought i would point that out. as for the security, the reality is is almost remarkable how vulnerable computer systems are. cyberspace is not what most people think it is. most people equate cyberspace with the internet, but if they want to think clearly about what cyberspace is, it is important note it is a gps system on new cars, it is the iphone, the droids, it is jetfighters, jet planes, anything driven by computers -- excuse me, computer code, and linked to networks can be part of cyberspace. and the vulnerabilities are almost stunningly pervasive. >> can you give an example? >> sure, charlie miller, who is a former government hacker,
6:34pm
who is now on the good side, a security specialist, one of the great hackers in the world, he last year decided to explore the vulnerabilities in the iphone. he found a vulnerability in the iphone that when he deployed it the right way, and this was for a contest, it enabled him to take over a portion of that iphone. industrial control computers are on a lot of systems, water systems, electric grids and so on. last year, a disgruntled hacker abroad went into a water system in south houston, texas, and got control of those computers. the list goes on and on. there are hacks of google, security firms. there are millions of attacks, literally millions of attacks around the world and intrusions on computer systems every day. probably the most phenomenal
6:35pm
attack involves a warm called stuxnet. in that case, the u.s. government, i think working with israel, but the united states government to felt -- the u.s. government develop a computer warned that went into the nuclear processing facilities in iran and disrupted those computers. >> it was developed by the u.s. government? >> yes, according to reporters. them what was its purpose? was it a defense mechanism, the defense department? >> no, it was a purely offensive, pre-emptive effort to slow the nuclear weapons processing capability of iran. >> you mentioned a charlie miller, and mr. miller is in st. louis, joining us today. mr. miller, what was your goal
6:36pm
in breaking into the iphone? >> well, and the particular case, it was for a contest, like robert mentioned. they have this contest every year. hackers across the world enter it. they have various devices. if you break into the devices, you win some cash it and devices also. i want contests earlier in my career. it was more about showing things like the iphone or desktops running apple software are vulnerable, because it was not really believed it was. now it is just i have shown vulnerabilities in the iphone, have shown a tax where i could send a text message to the iphone and taken over. these are all fixed now. part of the contest is all of these areas are fixed. it is a fun way to show what skills and everybody gets protected by the attacks we come up with. >> how long did it take you to break into the iphone and from where did you do it?
6:37pm
an office, where? >> the iphone attack, at the contest it only took a few seconds, but the preparation is the important part. it took me maybe a month of preparation with a colleague of mine. a few weeks of looking for a vulnerability, a few weeks before digging into that vulnerability and exploiting it to attack the iphone. the actual contest took place at a security conference in vancouver. i was actually physically in vancouver and they had and i found there. i attacked it and stole a bunch of data off of it and that was the proof i had succeeded. >> charlie miller, could you do this from your living room? could you break into a bank, break into other devices from your living room? >> that is the amazing thing about cyber security, you don't have to physically be anywhere. we are all connected, leslie, so devices, your phone, computer,
6:38pm
in the future your refrigerator, anything that is on the internet you can get to from basically anywhere. that is one of the things that makes defense difficult. you don't just have to defend from your neighbor. you have to defend from a guy in belarus. it is a different problem. >> robert o'harrow described you as a good guy hacker, white hat hacker. what does that mean. what is the mode of of some of the black hat hackers? >> the white hat, the good guy hackers, we are the guys who develop skills to do the same thing as the bad guys can do. we break into computers, but instead of breaking in and stealing information and causing problems, we tell everyone what we did, try to work with vendors to make things secure, give talks about security, how to
6:39pm
make it better. so while we can break in and do harm, we don't. we show how to break in to improve security. on the other hand, there is the actual bad guys. they have various ranges of motives, from just teenagers goofing off and trying to impress their friends to actual organized crime trying to steal money and credit card information to the government's trying to commit espionage and actual cyber warfare. there is a whole range of attackers on the black hat side. >> we did not get a lot of your biography, but you worked at the nsa for a while and are now with twitter. what did you do with an essay? >> i cannot say to much about nsa, but i worked there five years in their computer security group. i cannot say a whole lot more than that.
6:40pm
>> and umar with twitter now, correct? >> yep. so between that time, the last seven years, i distorted twitter a couple months ago, i was a security consultant. -- i just started with twitter, a couple months ago, before that i was a security consultant. basically take the role of a bad guy, break-in, show them what went wrong, how they could make it better so a real bad guy cannot do it. >> robert o'harrow, were you able to get in touch with any bad guy hackers and learn their motives? >> i have talked to bad hackers. the motives are, as charlie said, all over the place. i have watched details about bad hackers. if we know for example that some of them are preparing infiltrating systems with long- lasting threats in the event there is ever a cyber conflict or cyber war.
6:41pm
our power grids, national labs, corporate systems all over the u.s. are already -- have already been intruded, and it is believe there are already trojan horses. a lot of espionage is occurring. we know there are groups in russia and china, for example, that work regular hours breaking into systems and stealing information, massive amounts of information. the motives are the same modus that you might find it within your array of bad people -- money, money policing, intelligence, and prepping for cyber war. >> charlie miller, for casual users, regular users of the internet who may do online banking, surf the internet, send e-mail, what kind of protection would you recommend to those people?
6:42pm
>> well, the regular users are in pretty good place. we, and i we we mean security, the security industry has been working quite a few years to make that sort of thing secure, and it is pretty good. if you just use your browser, have an anti virus, you don't just go to read them sites, you are in pretty good shape. the biggest risk of, say, a tax, we talked about the iphone attack, that is still extremely rare. you are way more likely to lose your iphone in a bar that had a bad guy attack your phone. the one side is if your attackers are teenagers or organized crime, you play at half way save and you are not a big target, you're probably ok. if the more interesting thing, i think, is when you are the u.s. government or google or the white house, the matter what you
6:43pm
do, you are still a target. your attackers come instead of being teenagers, our whole branches of governments, military's from other countries, and there we don't really know what to do. there are a lot of open questions there. >> to follow-up on charlie's remarks, one of the things that is interesting, cyberspace is a collection of machines and people. people are part of the network. the very baddest of bad guys have taken on something called social engineering of a way of attacking. you may not be as inherently interesting as a target, but you may be vulnerable to social engineering because essentially what they're doing is pretending to be your friend, family member after doing homework. they may send an e-mail or direct you to website that is loaded with the attack code. if you are related to someone that they are targeting or if
6:44pm
you work at a company that the bad guys want to target, you may fall prey to social engineering. there is almost no way to stop it because of the nature of it. recently, we did a story about chinese hackers who were going after a gas pipeline companies, intelligence, contractors and washington, security consultants and others, and it was all part of the same campaign and it look like part of the sp nosh effort. and it was based on social engineering messages that look like they were coming from and house, but there were really coming from these chinese hackers. >> charlie miller, we talk about chinese hackers, iranian hackers. who are these people? are they employed by the government? >> we don't really know. we can trace back the attacks somewhat, but it is difficult. if the computer here in washington, d.c., is attacked,
6:45pm
we can trace the attack back to china, but that is not to say there is necessarily a person sitting at the computer in china. maybe the attack came from the computer which came from a computer in korea which came from a computer in germany which came from a computer in moscow we don't really know and it is difficult to trace back the attacks. that is one of the major differences between cyber war and conventional war. if some drives a tank across your border, you know who did it. if you get attacked, you may think it is the chinese but you don't know for sure and you don't know if it is a teenager or the chinese army. it is very difficult to ascertain where the attacks are coming from and who is doing it. we have gases, but we don't know for sure. >> charlie is relating to the core nature of cyberspace, it is network of networks. because of the fundamental architecture of these networks, data ounces from computer to
6:46pm
computer all the time. when he describes somebody in germany might be sending something through a computer in south korea that might be going through china, that is sort of the garden friday hot skip and jump for data in cyberspace. -- that is sort of the garden variety. it brings up an issue not just with cyber security but cyber war. if you don't know precisely who has attacked you, called attribution, then how do you respond in kind to prevent attacks in the future? that is one of the great dilemmas that our military has. how do you hold them accountable for stealing, damaging and what not. now, one has to believe and hope that the nsa, and i do actually, has cracked this problem to some degree, the attribution problems for corporations and many government agencies is a very real thing.
6:47pm
it is a very difficult problem in this digital age. >> robert o'harrow, you write about a company called tr itium. >> it is a company in richmond that came up with an interesting idea, not long after the web browsers, back in the 1990's, or released and use of the world wide web that lays over the top of the internet. it makes it all easy and we'll take for granted and it was becoming common. what they did is they realized that the web browser could be like universal control back to iraq devices anywhere in the world that were connected to the networks. -- that could direct devices anywhere in the world. your security camera, you could use your mouse to have the security camera looked left or right. you could be sitting in washington and control the camera in san francisco. theating systems all over
6:48pm
place. you might be controlling five buildings, high-rises, elevators, medical devices to some degree, and also access control for security. say i have the pentagon facility, a real example. but it turns out that tritium became so popular and move so quickly -- and profitable? >> its financials are not available, but one assumes -- they were acquired by honeywell several years ago, they're very popular and grew very quickly in their system is used in 52 countries now. but it turns out that it was vulnerable to a very well-known, rather old vulnerability that hackers it has known about, everybody has known about for years. i thought the story was valuable and instructive because it showed the gee whiz component
6:49pm
has sometimes blinded software makers and manufacturers, and the pockets that lay within reach has sometimes may be clouded their view of risked so they rushed forward with the technology before it is as secure as it probably should be. charlie has given some terrific talks about the incentive structures of four software makers, -- for the software makers, and whether they are properly in balance with making sure the software is secure. but i will let him speak for that. f >> mr. miller, if you would speak to that? >> sure, we are in a situation where we all run code that was written by a vendor like microsoft or cisco or whomever, and the problem is is very difficult to write secure code. whetherhard to measure code is secure, so even an
6:50pm
expert like myself, it is difficult for me to tell you given to programs which is more secure than the other. it is hard to measure and people don't want to necessarily pay for that. we all want to buy the latest gadget, the iphone that comes out or whatever, and we don't think to ourselves, how secure is this, maybe i should not by this because it is not secure. so companies, they are out to make money and that is what they are therefore, so they want to push products out the door, beat competitors, have the newest features, but they don't necessarily want to take the time that it takes to make sure their products are secure. consumers so far have not really demanded it, and so we all use the software and we are all vulnerable because the software is written in a way that was intended to maximize new features and profit, not to maximize security. >> charlie just raise an interesting issue, which is that
6:51pm
consumers, people have not asked for more secure products for the most part. that is related in part to the fact that very few people really understand cyberspace and how little works. we all love the benefits. it is miraculous, i would venture to say, charlie is among those who are thrilled with the miracle of the internet and all of the networks and computing power and the benefits that brings to all of us and society, but the fact is many people are afraid to actually confront the tradeoffs that come with these benefits. one of the things we're trying to do at the post with the zero day is not to scream that the sky is falling, because it is not, but to try to make clear that there are trade-offs so people could start making better decisions and start asking for better security, and in some ways may be eventually asked the companies that are making technology and writing code to
6:52pm
shoulder the full cost of doing business, which i would argue involves creating a secure product. >> charlie miller, what about when it comes to social media and the sharing of the information that we as consumers do with google, facebook, etc.? does that lend itself to less secure networks? >> it does not affect the network, per say, but it puts a lot of our confirmation, sometimes private information out there. if you had never connected to the internet, nobody would necessarily know what you like or if you are dating someone or whatever, but with facebook and social media, that information is there. even if you lock that doubt were only friends concede, it is still out there on some server somewhere so a bad guy could get to it. when you consider that a while ago and no one would ever agree to carry around a tracking device, right, but now we all carry around sell funds which can be inherently tract.
6:53pm
and nobody would have ever let anybody read their email, but right now a lot of us use g- mail, and our email is sitting on a server at google. it is interesting when we as a society have given our information out. whether we want it to be for everyone or just for a few people, is out there on someone's server and people can get to it. that has changed the whole way of privacy in this age. >> are you finding as a security consultant at the social media's of the world, twitter, facebook, google, etc., that they are leading in security precautions or not? >> well, some of them certainly are. google makes the show, for sure, for having a pretty secure web browser, chrome, but not too long ago they were attacked by ed they think the chinese and were able to get into their
6:54pm
networks and steal a lot of data. so even the best get hit. another example is microsoft about tenure started a program to try to boost the security of their software. windows98 was really awful, but the latest version of windows is quite good. they have spent a lot of time trying to make it better, but still, every month when you have to download a new patch, if that is because somebody found a vulnerability. there is still a long way to go and we all rely on the software and we are all vulnerable because of the software. >> a couple of thoughts. this is a thread i am pursuing right now as part of my series. it turns out that a lot of people have heard of electronic medical records, and i am just now learning that a lot of those records that are being created as part of the health care reform are being kept on remote servers. in fact, the doctors to have
6:55pm
this system cannot have the records anymore. they are being kept by contractors on servers. the other thing that is interesting is i think the software makers and vendors really ought to get credit for improving security. things are much better on a lot of products and software than they were five years ago, 10 years ago certainly. what i have been hearing lately over and over again is that the bad guys are getting faster than the good guys are getting better. in other words, the attack methods, the cleverness, the ways of evading detection are improving faster than security on the good side of things. and of course that is very troubling. in part because when you boil it down, nobody still fully understands what happens when billions of people and billions of devices interact in cyberspace and the bad guys take advantage of those clouds of
6:56pm
uncertainty. >> charlie miller, what is your message to congress, to the department of homeland security, to dod? >> well, i guess that it would be that we spent a lot of time, we are a lot better than we were 10 years ago. we are less vulnerable. software is better and we have protections built in, but if you want to run a company and keep out the average hacker, we know how to do that. what we don't know how to do is secure, you know, military systems from a tax by other governments. so well funded, very creative hackers can still beat us. we need to figure out whether it is holding vendors to task, building new defenses we do not know yet. we need to figure out how to defend against it attackers, which we don't know how to do yet. >> robert o'harrow, your series, which is linked to our c-span
6:57pm
website if you would like to see the series, has gotten some response from dhs. often when you write, the next day there is an official announcement. >> right, there has been some reaction to it. that is more typical of an investigative series, but i am trying to merge the homework with mentors like charlie miller and officials and the government, these young guys were breaking into things, teaching. so there has been some response, and that is gratifying. i think our mission at "the washington post" is somewhat platonic in the sense that we really want to teach people so that everybody is on the same page, generally speaking, so that good policy can grow from that. we are not in a position of offering policy suggestions because it is so complex and difficult, but i do think that congress -- if i had won it
6:58pm
recommendation, it would be good if they first themselves on the subject and then came up with some plans for making things better. and we're trying to contribute further to the education. the post has a conference with some very senior former intelligence officials, hackers and others, at the end of the month, and they can find out more at washingtonpost.com. it will be open to the public and will be a fascinating day because we will have, as i said, people directly involved in helping establish policy, formerly running, for example, the nsa, cyber command, getting together to discuss these issues and going through some scenarios. like i said, that will be at the end of the month at the washington post. >> robert o'harrow's series in the loss to pose is linked to our site at c-
6:59pm
span.org/thecommunicators if you would like to read for yourself. charlie miller is at a computer researcher and twitter employee, also known as a good guy hacker, joining us from st. louis. mr. o'harrow, thank you for being on "the communicators." >> thank you for having me. >> tomorrow on "washington journal," we look at early voting with michael mcdonald. then we look to the battleground state of pennsylvania. first, the state's political history and strategies for each campaign. we are joined by terry madonna. that is followed by a round table look at the politics of the state with the chair of the pennsylvania republican party, and the chairman of the montgomery county board of commissioners. "washington journal," with your calls, tweets, and emialails,